Rate limit password attempts by pinentry.
Closed, Resolved (Public)


GPG Agent tries to prevent brute-forcing of the passphrase. However, it doesn't
rate limit pinentry. If an incorrect passphrase is entered, gpg agent should
sleep for 100ms before replying to pinentry, thereby limiting the rate to 10
tries per second without noticeably impacting the user interaction. See issue
2034 for details.

neal added subscribers: dkg, neal.
werner added a subscriber: werner. Aug 3 2015, 11:30 AM

Each test for a passphrase takes about 100ms - thus you have your rate limit.

werner added a comment. Sep 9 2015, 4:31 PM

Is that okay, or are you concerned about keys with passphrases generated on slower
boxes? They would indeed be checked faster than 100ms. Using gpg --passwd for
such keys adjusts the iteration count so that they will again be delayed by
about 100ms.
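The two mechanisms discussed above, the iteration count of the OpenPGP string-to-key function that werner refers to and the fixed delay on a failed attempt that the task description proposes, as an added illustration. This is constructed example code, not gpg-agent's implementation: it implements the iterated and salted S2K from RFC 4880 section 3.7.1.3 (one-octet count encoding, at least one full copy of salt||passphrase hashed), a simplified calibration that picks a count taking about 100ms on the machine it runs on (an assumption about the idea, not a copy of gpg-agent's code), and a `check_passphrase` helper that adds the proposed floor so a key whose count was tuned on a slow box still cannot be guessed faster than ten times per second. The salt, passphrases and counts are constructed sample values.

```python
import hashlib
import hmac
import time

# Constructed example, not GnuPG code: OpenPGP iterated+salted S2K
# (RFC 4880, section 3.7.1.3).  The work factor is the octet-encoded
# iteration count; gpg picks it by timing the hash on the machine where
# the key is protected, so a key protected on a slow box verifies faster
# on a fast one.

S2K_MIN_COUNT = 1024       # decoded value of octet 0x00
S2K_MAX_COUNT = 65011712   # decoded value of octet 0xFF


def s2k_decode_count(c: int) -> int:
    """Decode the one-octet count: (16 + low nibble) << (high nibble + 6)."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def s2k_encode_count(count: int) -> int:
    """Smallest octet whose decoded count is >= count (saturates at 0xFF)."""
    for c in range(256):
        if s2k_decode_count(c) >= count:
            return c
    return 255


def iterated_salted_s2k(passphrase: bytes, salt: bytes, count: int,
                        hash_name: str = "sha1") -> bytes:
    """Hash `count` octets of the endlessly repeated salt||passphrase.
    Per RFC 4880 at least one full copy is hashed even if count is smaller."""
    unit = salt + passphrase
    count = max(count, len(unit))
    h = hashlib.new(hash_name)
    # Feed whole multiples of the unit in large chunks so the Python loop
    # stays short; each chunk is unit-aligned, so the stream stays aligned.
    chunk = unit * max(1, 65536 // len(unit))
    remaining = count
    while remaining > 0:
        piece = chunk if remaining >= len(chunk) else chunk[:remaining]
        h.update(piece)
        remaining -= len(piece)
    return h.digest()


def calibrate_s2k_count(target_seconds: float = 0.1,
                        probe_count: int = 1 << 22) -> int:
    """Pick an encodable count whose S2K run takes about target_seconds here.
    Simplified stand-in for the calibration werner refers to (assumption:
    same idea, not gpg-agent's exact code)."""
    t0 = time.perf_counter()
    iterated_salted_s2k(b"calibration", b"\x00" * 8, probe_count)
    elapsed = max(time.perf_counter() - t0, 1e-6)
    wanted = int(probe_count * target_seconds / elapsed)
    wanted = max(S2K_MIN_COUNT, min(S2K_MAX_COUNT, wanted))
    return s2k_decode_count(s2k_encode_count(wanted))


def check_passphrase(candidate: bytes, salt: bytes, count: int,
                     expected_key: bytes, min_seconds: float = 0.1) -> bool:
    """Verify a candidate and make every failed attempt take at least
    min_seconds (the floor the task description proposes), so the guess rate
    is capped at 1/min_seconds even when count was tuned on a slow machine."""
    t0 = time.perf_counter()
    ok = hmac.compare_digest(iterated_salted_s2k(candidate, salt, count),
                             expected_key)
    if not ok:
        left = min_seconds - (time.perf_counter() - t0)
        if left > 0:
            time.sleep(left)
    return ok


if __name__ == "__main__":
    salt = b"\x01\x02\x03\x04\x05\x06\x07\x08"   # constructed sample salt
    slow_box_count = 65536                         # count tuned on a slow box
    key = iterated_salted_s2k(b"correct horse", salt, slow_box_count)
    t0 = time.perf_counter()
    for _ in range(5):
        check_passphrase(b"wrong guess", salt, slow_box_count, key)
    print("5 failed attempts took %.2fs with the 100ms floor"
          % (time.perf_counter() - t0))
    print("count calibrated for about 100ms on this machine:",
          calibrate_s2k_count())
```

Running the script shows the two effects side by side: with a count of 65536 the hash itself completes in well under a millisecond on a current machine, so without the floor the guess rate is limited only by the hash, whereas with the floor five wrong guesses take at least half a second. Re-protecting the key with a freshly calibrated count (what `gpg --passwd` does on the new machine) raises the hash cost to the intended 100ms without needing the sleep.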

werner closed this task as Resolved.
werner claimed this task.